We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

Could Your Medical Device Be a Hacker’s Gateway into a Hospital Network?

This has been a big year for health care data breaches. In January, the data of 80 million Anthem members was compromised; in March, a cyberattack exposed the data of 11.2 million Premera BlueCross BlueShield members and business affiliates; and in May, the data of 1.1 million CareFirst BlueCross BlueShield members met the same fate. Hackers’ methods of accessing health care networks are becoming more creative, and include infiltration through medical devices.

Six years ago, for the first time, the number of “things” connected to the Internet surpassed the number of people, according to a January 2015 Federal Trade Commission report, “Internet of Things: Privacy & Security in a Connected World.“ Experts estimate that by the end of 2015, there will be 25 billion connected devices— and that by 2020, there will be 50 billion. While these devices can significantly improve the lives and health of consumers worldwide, they also pose sizable risks.

Hospital networks are prime targets for hackers because many contain vast amounts of highly personalized and confidential data, and hackers have developed new methods of breaching hospital networks through hospital patients’ medical devices. In June 2015, TrapX, a firm specializing in deception-based cybersecurity defense, released a report that found attackers targeted and compromised radiology picture archive and communications systems and blood gas analyzers to gain access to the hospital networks. The TrapX report even suggested that an attacker could remotely hack a hospital drug pump and modify the amount of medication to a fatal dose.

Both the Food and Drug Administration and the FTC have provided guidance on cybersecurity in medical devices. In late 2014, the FDA issued final guidance calling for manufacturers to consider cybersecurity risks in designing and developing medical devices. Shortly thereafter, the FTC issued guidance on best practices for privacy and security protection, including guidance on the design, deployment, and management of medical devices.

Everyone involved in the development and maintenance of medical devices must be aware of the applicable cybersecurity risks, and take appropriate safeguards to ensure patient safety and privacy. These include the device developers, the providers who maintain them, and the consumers who use them. Compliance with the nonmandatory guidance and best practices issued by the FTC and FDA offer a good starting point.